Linux Mint does not connect to a LineageOS hotspot

No, not at all. :grinning:

Even better suited than the custom script is the output of iptables -S. I'll get back to you …

… and that is now.

This is the edited and correspondingly shortened output of my iptables -S. I have not tested it. But it might work. :thinking: I hope I haven't overlooked anything. :grinning:

Here is the obligatory disclaimer for/against simple copy & paste:

No guarantee; users should know and understand what they are doing. The comments should be read and heeded. Intended only for IPv4 and only for a WiFi hotspot over mobile data. Whitelist mode (Allow selected) and Enable inbound connections are assumed to be checked, as is -12 - DHCP+DNS services for WiFi and mobile data (3G), while Tor control is assumed to be unchecked. DNS Proxy is Auto or Enable DNS via netd, Log Target is LOG. UID numbers may vary from OS to OS, as may WiFi interface names and the WiFi hotspot IP address range used.

Good luck. :crossed_fingers:

```sh
####
# Full paths of binaries to use ($IPTABLES is already set) - adapt according to your OS
###
BIN_TRUE=/system/bin/true

####
# DROP INPUT and FORWARD until chains are re-created
###

$IPTABLES -P INPUT DROP
$IPTABLES -P FORWARD DROP

####
# own log-drop chain - follows rule syntax of afwall-reject
###

# create or flush
$IPTABLES -N afwall-custom-drop || $IPTABLES -F afwall-custom-drop

# !!! ATTENTION: adapt the next rule according to the LOG rule found within afwall-reject !!!
$IPTABLES -A afwall-custom-drop -m limit --limit 1000/min -j LOG --log-prefix "{AFL}" --log-tcp-options --log-ip-options --log-uid
$IPTABLES -A afwall-custom-drop -j DROP

####
# own forward chain
###

# create or flush
$IPTABLES -N afwall-custom-forward || $IPTABLES -F afwall-custom-forward

# allow packets into local WiFi-HOTSPOT network - only for connections initiated within local WiFi-HOTSPOT network
# !!! ATTENTION: wlan+ may be different on your OS (AFWall+ also considers as wifi: eth+, tiwlan+, ra+, bnep+ ) !!!
# !!! ATTENTION: WiFi-HOTSPOT network IP-address range may be different on your OS, please check with ip addr !!!
$IPTABLES -A afwall-custom-forward -d 192.168.43.0/24 -o wlan+ -m state --state ESTABLISHED,RELATED -j RETURN

# allow packets originating within local WiFi-HOTSPOT network
# !!! ATTENTION: wlan+ may be different on your OS (AFWall+ also considers as wifi: eth+, tiwlan+, ra+, bnep+ ) !!!
# !!! ATTENTION: WiFi-HOTSPOT network IP-address range may be different on your OS, please check with ip addr !!!
$IPTABLES -A afwall-custom-forward -s 192.168.43.0/24 -i wlan+ -j RETURN

# log-drop everything else
$IPTABLES -A afwall-custom-forward -j afwall-custom-drop

# add to FORWARD chain at first position (delete a stale jump first so the script can be re-run)
$IPTABLES -D FORWARD   -j afwall-custom-forward || $BIN_TRUE
$IPTABLES -I FORWARD 1 -j afwall-custom-forward

####
# OUTPUT chain - general
###

# allow localhost packets - for symmetry with INPUT chain
$IPTABLES -A afwall -o lo -j RETURN

####
# INPUT chain - "Enable inbound connections" must be checked for it (afwall-input is AFWall+'s own chain)
###

# allow localhost packets
$IPTABLES -A afwall-input -i lo -j RETURN

# allow packets for locally initiated connections
$IPTABLES -A afwall-input -m state --state ESTABLISHED,RELATED -j RETURN

# allow late DHCP replies / broadcasts
$IPTABLES -A afwall-input -p udp --sport 67 --dport 68 -j RETURN

# allow DHCP requests from local WiFi-HOTSPOT network
# !!! ATTENTION: wlan+ may be different on your OS (AFWall+ also considers as wifi: eth+, tiwlan+, ra+, bnep+ ) !!!
$IPTABLES -A afwall-input -i wlan+ -p udp --sport 68 --dport 67 -j RETURN

# allow DNS requests from local WiFi-HOTSPOT network
# !!! ATTENTION: wlan+ may be different on your OS (AFWall+ also considers as wifi: eth+, tiwlan+, ra+, bnep+ ) !!!
$IPTABLES -A afwall-input -i wlan+ -p udp --dport 53 -j RETURN
$IPTABLES -A afwall-input -i wlan+ -p tcp --dport 53 -j RETURN

# log-drop everything else
$IPTABLES -A afwall-input -j afwall-custom-drop

####
# OUTPUT chain - WiFi only
###

# allow DHCP replies / broadcasts to local WiFi-HOTSPOT network in case no internet connection is available
# AFWall+ generates these rules (amongst others) within afwall-wifi-tether as well
# if [-12](Tethering) - DHCP+DNS services is enabled for WiFi and an internet connection is available
# !!! ATTENTION: the --uid-owner numbers may vary depending on OS - look up at least the afwall-wifi-tether rules !!!
$IPTABLES -A afwall-wifi -p udp --sport 67 --dport 68 -m owner --uid-owner 0 -j RETURN
$IPTABLES -A afwall-wifi -p udp --sport 67 --dport 68 -m owner --uid-owner 9999 -j RETURN
$IPTABLES -A afwall-wifi -p udp --sport 67 --dport 68 -m owner --uid-owner 1073 -j RETURN

####
# ACCEPT INPUT and FORWARD
###

$IPTABLES -P INPUT ACCEPT
$IPTABLES -P FORWARD ACCEPT
```

Update: The following custom shutdown script is also needed.

```sh
####
# Full paths of binaries to use ($IPTABLES is already set) - adapt according to your OS
###
BIN_TRUE=/system/bin/true

####
# INPUT chain - "Enable inbound connections" may have been disabled in the meantime
###

# remove from INPUT chain (|| $BIN_TRUE keeps the script going if the jump is already gone)
$IPTABLES -D INPUT -j afwall-input || $BIN_TRUE

####
# own forward chain
###

# remove from FORWARD chain - the afwall-custom-forward chain itself stays defined but is no longer referenced
$IPTABLES -D FORWARD -j afwall-custom-forward || $BIN_TRUE
```
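The post says the `iptables -S` output is the best way to check what AFWall+ actually applied. As an added example that is not part of the original post, the following Python check parses such a dump and verifies the points the script's ATTENTION comments ask for: the custom LOG rule mirrors afwall-reject's, the custom forward chain is consulted first, and every RETURN in it is scoped to the hotspot subnet. The dump below is constructed from the script's own rules, not real device output; the subnet and chain names are taken from the script.

```python
from collections import defaultdict

HOTSPOT_NET = "192.168.43.0/24"   # from the script; adjust to your hotspot range

# Constructed sample of `iptables -S`, modelled on the script's rules (not real output).
SAMPLE_DUMP = """\
-P INPUT ACCEPT
-P FORWARD ACCEPT
-N afwall-custom-drop
-N afwall-custom-forward
-N afwall-input
-N afwall-reject
-A INPUT -j afwall-input
-A FORWARD -j afwall-custom-forward
-A afwall-custom-drop -m limit --limit 1000/min -j LOG --log-prefix "{AFL}" --log-tcp-options --log-ip-options --log-uid
-A afwall-custom-drop -j DROP
-A afwall-custom-forward -d 192.168.43.0/24 -o wlan+ -m state --state RELATED,ESTABLISHED -j RETURN
-A afwall-custom-forward -s 192.168.43.0/24 -i wlan+ -j RETURN
-A afwall-custom-forward -j afwall-custom-drop
-A afwall-reject -m limit --limit 1000/min -j LOG --log-prefix "{AFL}" --log-tcp-options --log-ip-options --log-uid
-A afwall-reject -j REJECT --reject-with icmp-port-unreachable
"""

def parse_dump(dump):
    """Group the -A lines of an `iptables -S` dump by chain; -P and -N lines are ignored."""
    chains = defaultdict(list)
    for line in dump.splitlines():
        parts = line.split()
        if len(parts) > 2 and parts[0] == "-A":
            chains[parts[1]].append(parts[2:])
    return chains

def log_rule(rules):
    """Return the tokens of the first rule in a chain that jumps to LOG, or None."""
    for rule in rules:
        if "-j" in rule and rule[rule.index("-j") + 1] == "LOG":
            return rule
    return None

def check_hotspot_rules(dump):
    """Return a list of problems; an empty list means the dump matches the script's intent."""
    chains = parse_dump(dump)
    problems = []
    # The custom log rule must match afwall-reject's LOG rule (limit and log options).
    if log_rule(chains["afwall-custom-drop"]) != log_rule(chains["afwall-reject"]):
        problems.append("afwall-custom-drop LOG rule differs from afwall-reject")
    # The custom chain must be the first rule FORWARD consults.
    if not chains["FORWARD"] or chains["FORWARD"][0] != ["-j", "afwall-custom-forward"]:
        problems.append("afwall-custom-forward is not the first FORWARD rule")
    fwd = chains["afwall-custom-forward"]
    # Every RETURN must be scoped to the hotspot subnet, and the chain must end in the log-drop.
    for rule in fwd:
        if rule[-2:] == ["-j", "RETURN"] and HOTSPOT_NET not in rule:
            problems.append("RETURN without hotspot subnet: " + " ".join(rule))
    if not fwd or fwd[-1] != ["-j", "afwall-custom-drop"]:
        problems.append("afwall-custom-forward does not end in afwall-custom-drop")
    return problems
```

On a device, feed the real dump in with `check_hotspot_rules(subprocess.run(["iptables", "-S"], capture_output=True, text=True).stdout)`.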